VDB

CVE-2026-46817

CVE-2026-46817 PUBLISHED KEV CVSS 9.800000190734863 CRITICAL

We want to highlight the following vulnerabilities due to their severity and potential impact. CVE-2026-46840 affects the Backend-as-a-Service component of Oracle REST Data Services versions 24.2.0 through 26.1.0. The vulnerability is easily exploitable by an unauthenticated attacker with network access via HTTPS, requiring no user interaction. Oracle has indicated a scope change, meaning exploitation can extend impact beyond the directly vulnerable product to other dependent systems. Successful exploitation results in full takeover of Oracle REST Data Services. CVE-2026-46817 affects the File Transmission component of the Oracle Payments module within Oracle E-Business Suite versions 12.2.3 through 12.2.15. The vulnerability is easily exploitable by an unauthenticated attacker with network access via HTTP, requiring no user interaction. Successful exploitation results in full takeover of Oracle Payments.

EPSS 0.11% · 29.7th percentile

Risk Scores

CVSS 3.1
9.800000190734863
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score
0.11%
29.7th percentile

Affected Products

VendorProductVersions
OracleOracle Hospitality Applications
OracleOracle E-Business Suite
OracleOracle Database Server
OracleOracle REST Data Services
OracleOracle Communications

Timeline

  • May 28, 2026 CVE Published
  • May 28, 2026 CVE Updated
  • May 29, 2026 EPSS Score
  • May 30, 2026 EPSS Score
  • May 31, 2026 EPSS Score
  • Jun 1, 2026 EPSS Score
  • Jun 2, 2026 Security Advisory
  • Jun 4, 2026 Coalition ESS Score
  • Jun 5, 2026 EPSS Score
  • Jul 15, 2026 CISA KEV Added
Open in Interactive Console →
$ Console Community · 100/wk Open console ›